Benefits of Threat Modeling

Threat modeling, also called architectural risk analysis, is a systematic method for analyzing the security of an application. It is a key part of application development: you cannot build secure applications until you understand the threats.

It is important to understand the difference between a software bug and a design flaw. A classic buffer overflow in C code or a SQL injection vulnerability in a web application is an implementation problem. A flaw is a mistake in the design or architecture. A security flaw is present in the application even if the code is written exactly as designed.

Common design flaws

A few examples of common design flaws:

  1. Insufficient authentication and authorization – can lead to complete compromise of your application and its data.
  2. Broken session management – after a successful attack, the attacker can do anything the victim could do.
  3. Insecure external components – many applications use external pieces of software such as open source libraries. They may increase the attack surface and introduce new threats.

Threat modeling steps

Threat modeling helps to find and address design flaws and it is typically performed in four steps:

  1. What are we working on? Identify the assets (things we want to protect) and the attack vectors (entry/exit points).
  2. What can go wrong? Identify threats. Anything that can compromise or damage your assets is a threat.
  3. What are we going to do about it? Mitigate the threats and reduce risk.
  4. Did we do a good job? Validate the previous steps.

This four-question framework provides the structure needed for threat modeling, and it also helps to build the right mindset. Threat modeling is not that difficult, especially when software and security engineers work together.

Many people think that only security engineers can do threat modeling. That is not true. Threat modeling should be as commonplace as version control.

“…no professional developer would think of building software of any complexity without a version control system of some form. Threat modeling should aspire to be that fundamental.” – Threat Modeling: Designing for Security

Every developer or software project manager knows version control. They should also know a little bit of threat modeling as part of their work.

When and why?

Threat modeling has proven to be useful in eliminating security vulnerabilities in the design phase. We recommend using this method proactively as part of an organization's development lifecycle, because this allows you to prevent security issues while there is still time to fix them. It is also good to remember that finding and fixing security issues after delivery can be very expensive.

While it is important to perform threat modeling during the design phase, it is also important to analyze legacy software. Software without evidence of threat modeling or security engineering is likely to contain security issues.

Threat modeling existing software is challenging and time-consuming, but it is often worth the effort. For example, if you want to perform security testing on an existing application, a threat model enables the test team to focus their efforts on the riskiest areas.

In either case, it is important to keep the threat model up to date. Any change in the application, its related technologies, the threat landscape, etc. should trigger a review and update of the threat model.

Benefits of threat modeling

Threat modeling allows you to:

  • Identify and address the biggest threats.
  • Plan mitigations on identified and documented threats, not on a gut feeling.
  • Eliminate security issues in the design phase.
  • Make security decisions rationally.
  • Increase the security posture of your application and organization in a cost-effective manner.
  • Prioritize development and testing efforts based on identified threats.
  • Calculate the residual risk, which helps you to understand how secure your software is.
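The four questions above and the residual-risk bullet can be made concrete with a small data model. The following Python is an added example written for this page, not code from the original post: it records assets and entry points (step 1), threats (step 2), mitigations (step 3) and whether each mitigation has been validated (step 4), and then ranks the threats by residual risk. The scoring scheme (likelihood times asset sensitivity, with each validated mitigation removing a fraction of the likelihood) and the sample web-shop model are assumptions chosen for illustration, not a standard.

```python
"""Added example: a minimal threat-model record that walks the four questions.
The scoring scheme (likelihood x sensitivity, validated mitigations removing a
fraction of likelihood) is an assumption for illustration, not a standard."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Asset:
    """Step 1: something we want to protect."""
    name: str
    sensitivity: int  # 1 (public) .. 5 (critical); constructed scale


@dataclass
class EntryPoint:
    """Step 1: an attack vector (entry/exit point)."""
    name: str
    exposed_to: str  # who can reach it, e.g. "internet" or "internal network"


@dataclass
class Mitigation:
    """Step 3: a control applied to a threat."""
    name: str
    likelihood_reduction: float  # fraction of likelihood removed, 0.0 .. 1.0 (assumed model)
    validated: bool = False      # step 4: reviewed or tested? unvalidated controls earn no credit


@dataclass
class Threat:
    """Step 2: something that can compromise or damage an asset."""
    ident: str
    description: str
    asset: Asset
    entry_point: EntryPoint
    likelihood: int  # 1 (rare) .. 5 (expected); constructed scale
    mitigations: List[Mitigation] = field(default_factory=list)

    def inherent_risk(self) -> int:
        """Risk before any mitigation is applied."""
        return self.likelihood * self.asset.sensitivity

    def residual_risk(self) -> float:
        """Risk that remains once only the *validated* mitigations are credited."""
        remaining = 1.0
        for m in self.mitigations:
            if m.validated:
                remaining *= 1.0 - m.likelihood_reduction
        return round(self.likelihood * remaining * self.asset.sensitivity, 2)


def build_model() -> List[Threat]:
    """Constructed sample model for a hypothetical web shop (not a real system)."""
    records = Asset("customer records", sensitivity=5)
    cache = Asset("product image cache", sensitivity=3)
    admin_api = EntryPoint("/admin REST API", exposed_to="internet")
    login = EntryPoint("login form", exposed_to="internet")
    build = EntryPoint("dependency download during build", exposed_to="internet")

    return [
        Threat("T1", "Admin API handles requests without an authorization check",
               records, admin_api, likelihood=4,
               mitigations=[Mitigation("Role check on every admin route", 0.8, validated=True)]),
        Threat("T2", "Session ID is not rotated at login (broken session management)",
               records, login, likelihood=3,
               mitigations=[Mitigation("Rotate session ID on login", 0.7, validated=False)]),
        Threat("T3", "Unpinned third-party image library may ship a known vulnerability",
               cache, build, likelihood=3,
               mitigations=[Mitigation("Pin dependency versions and scan them", 0.5, validated=True)]),
    ]


def prioritize(model: List[Threat]) -> List[Tuple[str, float]]:
    """Highest residual risk first: where to spend development and test effort."""
    return sorted(((t.ident, t.residual_risk()) for t in model), key=lambda p: (-p[1], p[0]))


def total_residual_risk(model: List[Threat]) -> float:
    """One number that says how much risk the design still carries."""
    return round(sum(t.residual_risk() for t in model), 2)


def unvalidated_mitigations(model: List[Threat]) -> List[Tuple[str, str]]:
    """Step 4 checklist: planned controls nobody has confirmed yet."""
    return [(t.ident, m.name) for t in model for m in t.mitigations if not m.validated]


if __name__ == "__main__":
    model = build_model()
    for ident, risk in prioritize(model):
        print(f"{ident}: residual risk {risk}")
    print("total residual risk:", total_residual_risk(model))
    print("still to validate:", unvalidated_mitigations(model))
```

Note that T2 stays at the top of the list even though a mitigation is planned: an unvalidated control is not credited, which is exactly the point of the fourth question. When the mitigation is later reviewed and marked validated, the residual risk drops and the priorities shift, giving the team a documented reason for where to focus testing rather than a gut feeling.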

Want to learn more?

I collected some good online resources in case you want to learn more about threat modeling:

You can also contact us if you need help with threat modeling in practice.